A quick update on the Java EE front this morning: David Delabassee has confirmed in an Aquarium blog post that the Expert Group (EG) for JSR 375 – the Java EE Security API, aimed at overhauling and modernising the EE security API with a focus on portability and simplicity – has now been established.
As Delabassee has previously written on the GlassFish blog, with the inherent need to interact with different components (i.e. when the Java EE Application Server needs to communicate with an LDAP server), maintaining and evolving security features for the platform can be an uphill task. With JSR 375, the intention is to promote the use of modern language features (e.g. Expression Language and Contexts and Dependency Injection), and to support self-contained application portability across all Java EE servers.
Following extensive consultation by Oracle with the Java community via a series of surveys around Java EE 8, it’s also been established that this JSR will strive to “simplify, standardize, and modernize the Security API across the platform” in line with community demand and submitted JIRA issues.
JSR 375 also proposes enhancements in the following areas: adaptations to standardize user management, syntax for indicating passwords stored in secure repositories with updated password aliasing, and definition and standardization of a ‘role service’ API with the role mapping feature. There’s also scope for a new CDI interceptor annotation to enable devs to apply application-domain rules at the method level, as well as enhancements to authentication processes.
The group will consist of the following individuals, who between them represent seven different companies: Adam Bien, Rudy De Busscher, Les Hazlewood (Stormpath, Inc.), Werner Keil, Darran Lofthouse (Red Hat), Pedro Igor Silva (Red Hat), David Blevins (Tomitribe), Ivar Grimstad, Will Hopkins (Oracle), Matt Konda (Jemurai), Jean-Louis Monteiro (Tomitribe), and Arjan Tijms (ZEEF). It’s also expected that a participant from IBM will join the conversation at some point.
Now that the EG has been established, the real meaty technical discussions can get going. Among other things, the EG will need to consider how best to leverage Java EE orthogonal technologies (for example CDI events and Expression Language) to simplify the use of the new security APIs. Delabassee comments that there will be further discussions around the issue at the upcoming JavaLand event, taking place later this month in Germany, as well as a specific session around JSR 375 at Devoxx France in April. You can also follow the conversation on the Java Security EG mailing list.